I've been testing Express Provisioning with our product and was getting a console error from our application server:
ERROR [LdapExpressProvisioningProcessor] There was an error provisioning the user. Insufficient privileges provided: javax.naming.NoPermissionException: [LDAP: error code 50 - 00002098: SecErr: DSID-03150A45, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
]; remaining name 'CN=john,CN=Users,DC=dev,DC=global'
I had to do some queries on Google but found that I had to change the permissions for the user I logged in with to the LDAP datastore.
For Active Directory I had add the user to Administrators. That was accomplished by right-clicking on the user, selecting Properties and then selecting Member Of. I typed in Administrators and added that group to the user and then was able to accomplish provisioning to LDAP accounts on the Active Directory server.